Cyber Resilience

CVE-2026-29778

HighPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0002 6.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29778 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Pyload-Ng Project Pyload-Ng. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29778 is a path traversal vulnerability (CWE-23) in pyLoad, a free and open-source download manager written in Python. The issue affects the edit_package() function, which inadequately sanitizes the pack_folder parameter by relying on a single-pass string replacement of "../". This protection can be bypassed using crafted recursive traversal sequences. Vulnerable versions range from 0.5.0b3.dev13 to 0.5.0b3.dev96, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

The vulnerability can be exploited by low-privilege authenticated users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables directory traversal, resulting in high integrity impact (I:H), such as unauthorized modifications to files outside the intended directory, alongside low availability impact (A:L) and no confidentiality loss (C:N).

pyLoad has patched this issue in version 0.5.0b3.dev97. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw.

EU & UK References

Vulnerability details

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be…

more

bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in network-accessible pyLoad web function directly enables exploitation of the public-facing app (T1190) and facilitates unauthorized stored file modifications outside intended directories (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35463Same product: Pyload-Ng Project Pyload-Ng
CVE-2025-54802Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-35187Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-42315Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-42313Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-35459Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-33511Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-33509Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-32808Same product: Pyload-Ng Project Pyload-Ng
CVE-2026-26362Shared CWE-23

Affected Assets

pyload-ng project
pyload-ng
0.5.0b3.dev13 — 0.5.0b3.dev97

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of pack_folder input to reject path traversal sequences such as recursive ../ patterns before they reach edit_package().

prevent

Enforces that only authorized file-system operations within the intended package directory are permitted, blocking the unauthorized modifications enabled by the traversal.

prevent

Limits the write privileges of authenticated users so that even a successful traversal yields minimal ability to alter files outside the designated scope.

References